Readit News
david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
anamax · 4 years ago
Put low prices on the pricing page together with a note along the lines of "prices/terms are negotiable". That page should probably also mention that customers now will always pay less than later customers.

Be as friction-free as possible. When you talk with someone, ask if there is anything that would have helped. (The problem being that you want to hear from the folks who didn't talk with you.)

Note - while you want an interesting number of paying customers, you don't want any bad customers, where bad means "suck up a lot of time, provide no benefit."

Be flexible up to the point where you feel that you're being taken advantage of.

For example, if you're offering 15 days free and you're asked for 30, that's probably okay (and may be useful information telling you what you should offer). However, if someone demands 6-12 months, thank them and tell them to go elsewhere, nicely.

david_obrien · 4 years ago
Thanks, those are great tips and I've just implemented some of those.

Thanks again, this is super helpful!

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
victor106 · 4 years ago
Thanks David,

> Based on my understanding of CloudGuard we differentiate again by the "automated investigation" we do. It's not just a "you have misconfigured this thing here" but then also "because of that misconfiguration this following resource is now exposed to the internet

CloudGuard does this exact same thing. We just had our AWS env. scanned and they did tell us that one of our S3 buckets had a wildcarded principal. It documented the exact bucket name and the policy we used.

I agree that the diagram is something I haven't seen from other vendors in the space.

But I am still struggling to understand the differentiation of the other features.

david_obrien · 4 years ago
A wildcarded principal by itself doesn't mean too much. There are settings outside of the S3 bucket access policy that can mean "it doesn't matter what the bucket thinks".

This here is something other products typically don't check, and because of that create a lot of noise that a person has to check through. https://www.youtube.com/watch?v=kMi5PSyFu8s

Other products only look at properties in isolation. As I mentioned the SG rules only become security relevant if many other things in an environment are also true, ARGOS checks for those, others typically don't. Only one example of our "context awareness".

The diagram shows the "kill chain" of how someone could laterally move through your environment, again something others typically don't do.

I said it before, we don't find more, we help you find the ones in the noise that actually matter from a security point of view.

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
egberts1 · 4 years ago
What made me think it was for enterprise was as the few other commentators have said: pricing, wordings, and …

lack of the superficial First wave demo. This is the thorny issue that nearly plagues every marketing/sales.

Assuming that my own restrictive criteria were cast aside, I would be even more intrigued by some example eyeball-catching (and perhaps semi-interactive) faux outputs. For me, this would prompt me to contact you for more details, of which I expect a set of authentication info for me to visit and look around as well as take a call for some Q and As.

Again, this last step is the fishing lure that enables those who are severely time-constrained to make that “last judgement” to bite that marketers and sales ever so want to cast … and snag.

However, enterprise folks may have more time on their hands (as opposed to SMB-like folks) and may make that push to elicit for a more personal feedback … without that semi-interactive demo.

Of course, the real danger to any demo is that the lack of differentiation from what they already may have could translate to lost sales opportunity.

david_obrien · 4 years ago
Thanks for the further details.

Did you see the short video on the first page? It's a bit further down and might need to be pulled up. We have two other videos under "Resources/Videos" as well.

I am currently working on a "longer demo video" that shows ARGOS's full potential and differentiation.

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
victor106 · 4 years ago
Looks like a cool product.

How does this compare to Checkpoint CloudGuard?

david_obrien · 4 years ago
Thanks!

Based on my understanding of CloudGuard we differentiate again by the "automated investigation" we do. It's not just a "you have misconfigured this thing here" but then also "because of that misconfiguration this following resource is now exposed to the internet (we checked, it is!) and it's exposing these other resources as well, look, here's a diagram that shows you this."

This is what products like CloudGuard expect you to manually do. They approach security from a compliance point of view. "You are violating control XYZ from framework ABC, so you are less secure." Unfortunately, it's not that simple.

An AWS EC2 instance should not have a Security Group on it that allows RDP from the internet, that's true and should probably be flagged, but in itself is not a security issue. It only is if the EC2 has a public IP (or a public Load Balancer), the VPC has an internet gateway and there's no NACL blocking the traffic. This is just one part of what ARGOS checks, what others just don't and expect you to do manually, for each of their hundreds and thousands of critical detections.
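The chain of conditions in the comment above (open security group, public IP or public load balancer, internet gateway, no NACL block) can be written as a small triage function. This is an added example, not ARGOS code and not part of the original comment; the class names, verdict strings and the sample inventory are constructed for illustration, and only inbound NACL evaluation is modelled.

```python
import ipaddress
from dataclasses import dataclass

RDP = 3389
PROBE = ipaddress.ip_address("203.0.113.10")  # constructed internet source (TEST-NET-3)

@dataclass
class Rule:
    cidr: str
    lo: int
    hi: int
    allow: bool = True   # security group rules are allow-only
    number: int = 0      # only meaningful for NACL entries

@dataclass
class Instance:
    sg: list
    nacl: list
    public_ip: bool = False
    public_lb: bool = False
    igw: bool = False

def matches(rule, port):
    return PROBE in ipaddress.ip_network(rule.cidr) and rule.lo <= port <= rule.hi

def nacl_allows(inst, port):
    # NACL entries are evaluated in ascending rule number; the first match decides.
    for entry in sorted(inst.nacl, key=lambda r: r.number):
        if matches(entry, port):
            return entry.allow
    return False  # implicit deny when nothing matches

def assess(inst, port=RDP):
    if not any(matches(r, port) for r in inst.sg):
        return "ok"  # the security group does not admit internet sources at all
    path = (inst.public_ip or inst.public_lb) and inst.igw and nacl_allows(inst, port)
    return "exposed" if path else "flag-only"

OPEN_SG = [Rule("0.0.0.0/0", RDP, RDP)]
ALLOW_ALL = [Rule("0.0.0.0/0", 0, 65535, True, 100)]
FLEET = {  # constructed sample inventory
    "jump-box": Instance(OPEN_SG, ALLOW_ALL, public_ip=True, igw=True),
    "internal": Instance(OPEN_SG, ALLOW_ALL, igw=True),
    "nacl-blocked": Instance(OPEN_SG, [Rule("0.0.0.0/0", RDP, RDP, False, 90)] + ALLOW_ALL,
                             public_ip=True, igw=True),
    "vpn-only": Instance([Rule("10.0.0.0/8", RDP, RDP)], ALLOW_ALL, public_ip=True, igw=True),
}

def triage(fleet=FLEET):
    return {name: assess(inst) for name, inst in fleet.items()}
```

Three of the four sample instances carry the same "RDP open to 0.0.0.0/0" rule, but only `jump-box` comes back as `exposed`; the other two are the noise the comment refers to.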

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
operator-name · 4 years ago
Please disable automatic capitalisation on the "Request Your 30-minute ARGOS Demo" email field.

david_obrien · 4 years ago
Oh wow, never noticed. I will see if I can disable that. That's an odd one.

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
windexh8er · 4 years ago
The landing page looks nice. I feel like, based on your comments, you really are trying to build a product for customers - and not building towards some esoteric sales figure. Some comments from someone who's worked for a number of "enterprise" security vendors over the last decade...

Your product is competing in the CNAPP (Cloud Native Application Protection Platform) space. I'm sure you already knew this, but you may want to look at how companies have merged CSPM/CIEM/IaC/etc tooling to get to this "Gartnerized" name and just know who's who in the competitive landscape.

14 days isn't long enough to make a decision for most organizations unless they are really small. I'd suggest leaving that in place but also extending that to 30-45 days (1 month workflow) for prospects that will, in turn, go through additional resistance to validate they're truly viable customer candidates. Those things could be a 15 minute qualification call where you have a list of things you want to review with them to understand the fit (good feedback loop for you in features).

Standardize on your pricing - you need to understand this so you're both not losing money and so that you don't turn customers away because of the unknown. You can always have a custom pricing tier or an "Ask Us" option. If you don't know what your baseline cost for a customer is - then figure it out quickly.

Demos can go a long way - since you're a small shop you need something that won't soak your time, so I'd suggest taking your customer's top couple pain points and recording a nice looking demo that won't cost them more than 10 minutes to watch. People in this space want to see the product. There are so many security tools that a lot of buyers already have too many - so they want to see what it is and many customers are also looking for ways that new tooling can be integrated into existing workflows. There is no "single pane of glass" anymore for customers and instead it's morphed into, as I like to refer to it: "single pain of glass", because every vendor claims you only need them. Right.

If you have any questions I'd be happy to chat - [my_hn_name] at counterbrea dot ch. Best of luck!

david_obrien · 4 years ago
I am indeed. I've seen those issues one too many times as a consultant, and I never got to really(!) fix them as I was only ever brought in as a band aid really, not strategically.

Yeah, CNAPP is the new acronym for where we probably best fit right now. I will continue checking out some of the other players.

I initially had a 14 day trial, then people (not potential customers) told me that would not be long enough, so I increased it to 30. That did not make a difference at all. Smaller companies still signed up and converted, larger companies "ignored" any time limits and just assume that those don't apply to them.

Based on all the comments now I wonder if I should have a "base" plan that has the cost on the website and an Enterprise / Custom plan with a "Contact us" button. I pretty much know what a customer costs "on average", so that's not difficult.

Curious, did you see the short demo video on the website? There is a short one on the main site "below the fold" and there are two more in the "Resources/Videos" section. I am working on a longer version that I can send out to potential customers instead of a demo initially. Yeah, I've seen and felt the "single pain of glass" many times :D

I'd love to take you up on that offer, thanks a lot!

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
anamax · 4 years ago
You don't understand where you are in the business lifecycle.

You're very early. Paying customers are the most important thing for you to get.

However, it doesn't matter how much the first 1% (of your target market) pay, now or in the future. (If you're successful, they're only 1%. If you're not successful....)

Let's assume that success is 100k-1M paying customers.

Anything that gets in the way of someone being one of your first 1,000 paying customers is bad. Not telling the price upfront is one such thing. Trying to charge "market/what it's worth" is another.

Now is not the time to optimize pricing. In fact, you should tell the first 1-2% of paying customers that they will always and without any effort on their part get better pricing than anyone else going forward.

Yes, you should ask them what they think other people should/would pay....

david_obrien · 4 years ago
I appreciate that comment, thanks. It does feel a bit like a catch-22, that I am definitely trying to solve.

ARGOS does have early paying customers, and of course they are heavily discounted (and they know).

You mention not telling a price is an issue (and so have others, point taken), but also say I shouldn't focus on price right now. I'm trying not to. So, what's your recommendation? Should I remove the page? Rename it to something like "Plans" and not "Pricing"? But then I'm still not telling you how much it will be. I know how to deal with this when talking to someone, but what I'd be really interested in is what you would expect on a website, knowing what you told me.

Seriously, thanks!

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
ldoughty · 4 years ago
Keep in mind, AWS best practices (and IAM limitations, for those without resources/time to finely craft the boundaries) encourage account sprawl...

Not all customers spread out like we do... but I manage over 50 AWS accounts, and our DevOps team is 7 FTE... Our application/situation is admittedly unusual, but I could easily see a small business using 10 accounts to manage their org and a single "product"

david_obrien · 4 years ago
I used to be a consultant building exactly those designs, limit the blast radius, have separate accounts etc.

"In the earlier days" of ARGOS that's exactly why I didn't charge per Account, but different ways (tried # of resources, then % of spend) and people were always confused.

Similar to the "take the price off the website" that customers told me, me charging per Account is also what customers asked me to do.

What do you think a good unit would be for a product like this? I'm happy to try anything really, as long as it helps companies be more secure.

david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
corobo · 4 years ago
If you reload the page the issue does go away... but only technically.

The issue is the page references a few images over http, which redirect to their https form with a permo redirect so the browser knows the new location when you refresh. Your browser also now has the image cached too so doesn't need to request it.

One of those two seems to make it stop flagging the problem. I guess the browser only complains if it needs to make the request.

@OP: I'd do a search and replace http://domain to https://domain and try to use relative urls where you can in future (I am aware this was probably a WordPress thing, not a you thing!) - My go-to for this is https://wordpress.org/plugins/better-search-replace/ for the content side and a good ol text editor in your theme files if needed, should be good to go :)

david_obrien · 4 years ago
Thanks, I'll definitely look into that.
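A way to check a page for the `http://` subresource references described in this exchange, before and after the suggested search-and-replace. This is an added example, not part of the original comments; the host name, the sample markup and the passive/active labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PASSIVE_TAGS = {"img", "audio", "video", "source"}  # display-only content
ACTIVE_TAGS = {"script", "iframe"}                  # content that can run or frame code

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PASSIVE_TAGS | ACTIVE_TAGS:
            return  # e.g. <a href> is navigation, not a subresource load
        for name, value in attrs:
            if name == "src" and value and value.lower().startswith("http://"):
                kind = "passive" if tag in PASSIVE_TAGS else "active"
                same_site = urlsplit(value).hostname == self.site_host
                self.findings.append((tag, value, kind, same_site))

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.findings

def upgrade_own_urls(html, site_host):
    # The search-and-replace from the comment, limited to the site's own host.
    return html.replace(f"http://{site_host}/", f"https://{site_host}/")

SAMPLE_HOST = "www.example.test"  # constructed host
SAMPLE_PAGE = """
<a href="http://www.example.test/about">About</a>
<img src="http://www.example.test/wp-content/hero.png">
<img src="/wp-content/logo.png">
<script src="http://cdn.example.net/widget.js"></script>
<img src="https://www.example.test/wp-content/ok.png">
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE, SAMPLE_HOST):
        print(finding)
```

References on other hosts are not touched by the replace and stay in the findings, so they still need a manual decision.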
david_obrien commented on Show HN: I made a cloud security product that actually saves time   argos-security.io/?... · Posted by u/david_obrien
egberts1 · 4 years ago
As an IDS/IPS software architect with a mind to use my private cloud for a checkout on security, I did the following on iPhone FIREFOX.

1. Read the main page (noted accessibility issue in other comment)

2. Read the footer

3. Choose and read FAQ

4. Choose and read Features

Almost went to Feature as first click. Probably wish I did.

It did feel that it was targeted toward enterprise and smartly so. I am inclined to contact but it’s a private cloud with propensity for walled garden (nearly airgapped).

If I were a real enterprise with private clouds, I too would be curious about this functional set and whether they can be applied toward the airgapped cloud.

Nicely and tersely written for the target SIEM, CCIT and cloud-owner audience.

No bite here as my private cloud isn’t up for peerage, external, that is. And my customers have private clouds too.

Again, very nice from this angle.

david_obrien · 4 years ago
Thanks for that detailed response. ARGOS definitely feels more like an Enterprise / larger SMB product, unfortunately, I think this is mostly due to where people are really feeling "the need" for cloud security. I had many conversations with smaller organisations / startups and most of them said that they could not spend money on something like cloud security (AV and Firewall was #1 spend in those conversations, very interesting) or sometimes even didn't believe that cloud security was a problem ("doesn't Microsoft/Amazon take care of this for me?").

So, as much as I'd like to help smaller organisations, it seems only at a certain size do people really recognise this as a problem.

What do you think? Also, what made the site "targeted at Enterprise" in your opinion?

Also, yes, ARGOS is, for now, only public cloud, no private cloud.

Thanks again.

u/david_obrien

Karma: 55
Cake day: May 25, 2021
About
Startup founder of ARGOS Cloud Security @ https://argos-security.io